METHOD AND SYSTEM FOR ADAPTIVE NETWORK SECURITY USING NETWORK VULNERABILITY ASSESSMENT

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to U.S. patent application Ser. No. 09/223,072, entitled "Domain Mapping Method and System", filed Dec. 29, 1998, pending, and U.S. patent application Ser. No. 09/223,071 entitled "Method and System for Adaptive Network Security Using Intelligent Packet Analysis", filed Dec. 29, 1998, pending.

TECHNICAL FIELD OF THE INVENTION 

The present invention relates in general to computer 
network security and, more particularly, to a method and 
system for adaptive network security using network vulner- 
ability assessment. 

BACKGROUND OF THE INVENTION 

Network security products such as intrusion detection systems (ID systems) and firewalls can use a passive filtering technique to detect policy violations and patterns of misuse upon networks to which the security products are coupled. The passive filtering technique usually comprises monitoring traffic upon the network for packets of data. A signature analysis or pattern matching algorithm is used upon the packets, wherein the packets are compared to "attack signatures", or signatures of known policy violations or patterns of misuse.

In order to properly detect policy violations and patterns of misuse, security products often must place the packets of data in contexts relevant to such connection criteria as space, time, and event. Space is usually defined in terms of a source-destination connection at the port level. Time is defined as the amount of time to continue associating packets for the type of connection defined by the source-destination connection. Event is defined as a type of connection, which in turn defines the types of policy and misuse signatures that can occur with each packet. As the size of a network expands, there are greater numbers of connections, which leads to greater numbers of lookups and comparisons that must be performed by the security product.

Two problems are associated with conventional security products. First, conventional security products have insufficient information to self-configure for reliable detection of policy violations and patterns of misuse. For example, conventional security products have no mechanism to reliably ascertain network information of the network to which the security product is coupled. This leads to such disadvantages as being unable to accurately predict the effect of a particular packet upon a destination device. Furthermore, a conventional security product has no mechanism to ascertain the network topology and thus cannot predict if a certain packet will reach its intended destination. Such a lack of network information compromises the security product's ability to detect such attacks as insertion attacks, evasion attacks and denial of service attacks. Some of these problems with conventional security products are documented by Ptacek and Newsham, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Secure Networks Incorporated, January 1998.

A second problem associated with conventional security products is the result of scarcity of processor and memory resources. Conventional security products may begin to drop packets and shut down certain tasks in an unpredictable fashion once the system depletes its memory or processor resources. As the size of a network grows, such a failure becomes more likely, as a greater number of connections onto the network requires a greater number of lookups and comparisons performed by the security product. Additionally, an increase in number and complexity of the types of misuse the security product is required to detect can further degrade performance. An increase in traffic flow further drains a security product's resources. As a result, conventional ID systems cannot operate effectively at high network bandwidth utilization.

Some conventional systems have attempted to achieve 
performance gains by decreasing the number of misuse 
signatures the security product monitors. Fewer signatures 
translate into fewer memory comparisons for each packet 
that flows through the security product. However, such a 
solution makes a network more vulnerable to attacks. 

Other conventional systems rely on the user to enumerate 
the network information, such as the types of operating 
systems and applications running on the protected network. 
These systems then disable certain misuse signatures 
accordingly. 

Such a conventional solution, however, introduces addi- 
tional problems. For example, if the user provides an inac- 
curate assessment of the network, then incorrect signatures 
may be disabled, meaning that undetected policy violations 
and network attacks are possible. Additionally, networks are 
rarely stable environments and the addition or deletion of 
devices or services can make the original network informa- 
tion supplied by the user inaccurate. 

A further disadvantage of such conventional security 
products is that they are not designed to function in an 
environment wherein the traffic exceeds their memory or 
processor capacity. Such conventional systems, when con- 
fronted with traffic that exceeds their capacity, may start 
dropping packets and degrade performance in an unpredict- 
able fashion. This can lead to an unknown security posture 
or profile, which can leave a network more vulnerable to 
undetected attacks. 

SUMMARY OF THE INVENTION 

In accordance with the present invention, a method and 
system for adaptive network security using network vulner- 
ability assessment is disclosed that provides significant 
advantages over conventional intrusion detection systems. 
According to one aspect of the present invention, a method 
for adaptive network security comprises directing a request 
onto a network. A response to the request is assessed to 
discover network information. A plurality of analysis tasks 
are prioritized based upon the network information. The 
plurality of analysis tasks are to be performed on monitored 
network data traffic in order to identify attacks upon the 
network. 

According to another aspect of the present invention, a 
system for adaptive network security comprises a scan 
engine coupled to a network. The scan engine can direct a 
request onto a network and assess a response to the request 
to discover network information. A protocol engine is also 
coupled to the network. The protocol engine performs a 
plurality of protocol analyses on network data traffic to 
identify attacks upon the network. A signature engine is 
coupled to the network and compares the network data traffic 
to a plurality of attack signatures to identify attacks upon the 
network. A priority engine is coupled to the analysis engine, 
the protocol engine, and the signature engine. The priority 
engine prioritizes the plurality of protocol analyses and the plurality of attack signatures based upon the network information.

According to another embodiment of the present invention, the priority engine can prioritize a plurality of system services based upon the network information.

It is a technical advantage of the present invention that it can more reliably detect policy violations and patterns of misuse because of the use of the network information.

It is another technical advantage of the present invention that it allows for the maintenance of a network map, which can allow for greater types of misuse patterns to be detected.

It is a further technical advantage of the present invention that it allows for a reliable, predictable, and prioritized shutdown of analysis tasks in the event resources are depleted.

It is another technical advantage of the present invention that effective intrusion detection can be had at network speeds above 50 to 60 Mbps.

It is another technical advantage that the present invention provides for adaptive network security, as the invention can adapt to a changing network environment and recalibrate in order to maintain a sufficient level of network security.

Other technical advantages should be apparent to one of ordinary skill in the art in view of the specification, claims, and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the present invention and advantages thereof may be acquired by referring to the following description taken in conjunction with the accompanying drawings, in which like reference numbers indicate like features, and wherein:

FIG. 1 is a flow diagram of various embodiments of a method of operation of a system for adaptive network security;

FIG. 2 is a block diagram of one embodiment of a network environment that includes a system for adaptive network security using network vulnerability assessment according to the present invention;

FIG. 3 is a block diagram showing configuration data of one embodiment of a network that includes a system for adaptive network security using network vulnerability assessment;

FIG. 4 is a flow diagram of one embodiment of a method for adaptive network security using network vulnerability assessment according to the present invention; and

FIGS. 5A, 5B, and 5C are block diagrams of embodiments of a prioritized task list, a prioritized attack signature list, and a prioritized system services list, respectively.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 is a flow diagram of various embodiments of a method of operation of a system for adaptive network security. An ID system is one such security system that could benefit from the adaptive network security system of the present invention.

In the method of FIG. 1, network information is acquired at step 1. Network information can comprise, for example, the devices, operating systems, and services available on a network.

In the embodiments of FIG. 1, such network information can be gathered by an active process 2, a passive process 4, or a query process 3. Active process 2 can include port scans, pinging, and other active methods performed on devices coupled to the network, as well as monitoring responses (such as banners) sent in response to such active methods. One such active process is the basis of the present invention and is described below. Query process 3 can comprise sending a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information. The domain mapping service can respond to such a request by sending the network information to a source of the request. Such a query system is described in the present invention, as well as described in U.S. patent application Ser. No. 09/223,072, entitled "Domain Mapping Method and System", filed Dec. 29, 1998, pending.

The third alternative to acquire network information is passive process 4. Passive process 4 allows a security device using the present invention to acquire network information without placing additional traffic on the network. One such passive process is an intelligent packet analysis. A method and system for adaptive network security using intelligent packet analysis is described more fully in the related U.S. application Ser. No. 09/223,072, entitled "Method and System for Adaptive Network Security Using Intelligent Packet Analysis," filed Dec. 29, 1998.

Once network information is acquired, an analysis at step 5 is performed. For example, a network map 6 can be created to compile the network information. At step 7, a priority task is performed using the analysis of the network information at step 5. For example, an ID system using such a method can configure itself to perform high priority tasks based upon potential vulnerabilities of the network, as identified by the analysis at step 5.

The performance of steps 1, 5, and 7 can occur in one or more devices coupled to a network. For example, processes performing such tasks could be distributed among several devices in order to preserve processing resources. Alternatively, the processes performing such tasks could be integrated into a single device, such as an ID system, router, or firewall.

FIG. 2 is a block diagram of one embodiment of a network environment that includes a system for adaptive network security using network vulnerability assessment according to the present invention. As shown, the network environment can comprise devices that form an internal network, protection for the internal network, and an external network. The internal network, indicated generally at 10, can comprise a plurality of workstations 12 coupled to a network backbone 14. Network backbone 14 can comprise, for example, an Ethernet or other type of network backbone. Protection for network 10 can be provided by firewall 16 and a router 18 which are coupled to network backbone 14. Router 18 serves as a gateway between internal network 10 and an external network 30. External network 30 can be, for example, the Internet or other public network. Firewall 16 can serve to limit external access to resources in internal network 10 and protect these internal resources from unauthorized use.

Internal network 10 further comprises network security system 20 coupled to network backbone 14. Network security system 20 comprises a scan engine 22 and a protocol engine 24 coupled to network backbone 14. A signature engine 26 is coupled to protocol engine 24. Scan engine 22 is further coupled to network map 28. Signature engine 26 is coupled to attack signatures 30. A priority engine 32 is coupled to network map 28, protocol engine 24 and signature engine 26. Protocol engine 24 and signature engine 26 are each also coupled to a storage 36.
In the embodiment of FIG. 2, network security system 20 is coupled directly to network backbone 14 "inside" internal network 10. Such a configuration is typical, for example, of an intrusion detection system. However, those skilled in the art will recognize that network security system 20 can be coupled to a network in other configurations. For example, network security system 20 could be incorporated into another device located on internal network 10, such as firewall 16 or router 18. Alternatively, as further shown in FIG. 2, network security system 20 could be coupled outside internal network 10, such as between firewall 16 and router 18, or outside router 18. It should be understood that different placement of the network security product will affect its operation, as different placement exposes network security product 20 to different traffic on the network.

Network security system 20 can comprise, for example, software code executing on a computing device such as a SUN or INTEL based workstation. Network map 28 and attack signatures 30 can comprise data stored in memory or fixed storage on the workstation or other device in which network security system 20 resides. Storage 36 can comprise memory or fixed storage that is the same as or separate from the memory upon which network map 28 and/or attack signatures 30 reside. Alternatively, some or all of storage 36 and the data that comprises network map 28 and attack signatures 30 could reside in fixed storage remote from the location of network security system 20. Similarly, scan engine 22 could comprise software code executing remotely from the device upon which network security system 20 resides. One example of such an alternate configuration is shown in FIG. 2 as a domain mapping system 39 and network map 41.

In operation, devices such as workstations 12 can communicate over network backbone 14. Workstations 12 can further communicate with external network 30 via network backbone 14 and router 18. As mentioned above, firewall 16 is intended to prevent unauthorized access from external network 30 to devices coupled to internal network 10. However, firewall 16 may not be capable of preventing all unauthorized access. As used with respect to this application, "attack" is used to describe any type of unauthorized access, policy violation, or pattern of misuse.

Further in operation, network security system 20 is operable to detect attacks upon internal network 10. Network security system 20 accomplishes this by monitoring traffic on network backbone 14 and performing analysis tasks upon the monitored traffic in the context of network information discovered from internal network 10. In the embodiment of FIG. 1, scan engine 22 gathers the network information, while protocol engine 24 and signature engine 26 perform the analysis tasks upon the monitored traffic.

Scan engine 22 can direct requests upon the network and assess responses to such requests to discover network information. In one embodiment, scan engine 22 scans devices on the internal network, such as workstations 12. For example, scan engine 22 could ping devices on internal network 10 and then perform port scans on each device. Banners from the port scans could be collected and analyzed to discover network information. Such network information could comprise the devices coupled to internal network 10, the operating systems running on such devices, and the services available on each device. Additionally, in the embodiment of FIG. 1, scan engine 22 is operable to analyze the network information to identify potential vulnerabilities of internal network 10, and confirm these potential vulnerabilities. For example, scan engine 22 could perform a rules-driven multi-phase network vulnerability assessment such as described in U.S. patent application Ser. No. 09/107,964, entitled "System and Method for Rules-Driven Multi-Phase Network Vulnerability Assessment," filed Jun. 30, 1998, the disclosure of which is herein incorporated by reference.

Scan engine 22 can further create a network map 28 which can include such network information discovered by scan engine 22. The network map can comprise, for example, a multi-dimensional database with real-time data insertion, as described in U.S. patent application Ser. No. 09/107,790, entitled "System and Method for Real-Time Insertion of Data Into a Multi-Dimensional Database for Network Intrusion Detection and Vulnerability Assessment," filed Jun. 30, 1998, pending, the disclosure of which is incorporated herein by reference.

In an alternate embodiment, scan engine 22 sends a request to a domain mapping service 39. Domain mapping service 39 maintains a network map 41, the network map comprising a compilation of network information. Domain mapping service 39 responds to such a request by sending the network information to scan engine 22. Such a domain mapping service can include, for example, the system described in U.S. patent application Ser. No. 09/233,072, entitled "Domain Mapping Method and System", filed Dec. 29, 1998, pending.

Further in operation, protocol engine 24 performs a plurality of protocol analyses upon monitored traffic on network backbone 14 in order to detect attacks upon the network. Attacks upon the network, as mentioned above, are defined herein to include unauthorized accesses, policy violations, and patterns of misuse. Protocol engine 24 can perform, for example, the following protocol analyses upon monitored traffic on network backbone 14: checksum verification (IP, TCP, UDP, ICMP, etc.), IP fragment reassembly, TCP stream reassembly, protocol verification (such as ensuring the IP header length is correct and the TCP datagram is not truncated), and timeout calculations.

Signature engine 26 is coupled to protocol engine 24 and can perform further analysis tasks in order to detect attacks upon network backbone 14. Signature engine 26 compares monitored traffic with attack signatures 30. Attack signatures 30 can comprise, for example, a rules-based hierarchy of traffic signatures of known policy violations. Signature engine 26 can compare packets from the network traffic with such attack signatures 30 such that policy violations can be discovered.

Additionally, priority engine 32 prioritizes system services performed by network security system 20. Such system services could include, for example, IP logging, traffic logging, alarm notifications, and communications, among others.

Further in operation, priority engine 32 uses the network information maintained in network map 28 to prioritize the analysis tasks performed by the protocol engine 24 and the signature engine 26. For example, priority engine 32 could determine a likelihood of success of a particular attack upon the network based upon the network information. Priority engine 32 could then prioritize the protocol analysis performed by protocol engine 24 that is intended to detect that particular attack. Likewise, priority engine 32 could prioritize the attack signatures 30 based upon the network information in network map 28 according to the likelihood of success of each attack associated with each attack signature 30. In one embodiment, priority engine 32 could compile a prioritized task list comprising a list of all such analysis tasks, ranked by an assigned priority to each task.
Further in operation, priority engine 32 can monitor a memory utilization of memory resources and a processor utilization of processor resources. If the processor utilization exceeds a first defined threshold, priority engine 32 disables an analysis task. As used herein, an analysis task could comprise either a protocol analysis performed by protocol engine 24 or a particular attack signature 30 as used by signature engine 26. Priority engine 32 can make the disable decision based upon an assigned priority of each task, as discussed previously. Then, as processor utilization drops below a second defined threshold, priority engine 32 could reenable a disabled analysis task. Similarly, priority engine 32 could disable a particular analysis task or service if memory utilization exceeds a third defined threshold, or reenable a disabled analysis task if memory utilization drops below a fourth defined threshold.

The results of the protocol analysis provided by protocol engine 24 and signature analysis provided by signature engine 26 are recorded in storage 36. The results could then be made available, for example, to another process or a system administrator.

Network security system 20 is adaptive because it can configure or reconfigure by prioritizing the protocol analysis, the attack signatures, or system services according to changes in network information.
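As an added example (not code from the patent), the priority engine just described, modelled in Python: each analysis task is ranked by the fraction of hosts in network map 28 against which the attack it detects could succeed, the lowest-ranked task is shed first when processor or memory utilization crosses the first or third threshold, and the highest-ranked disabled task is restored first once utilization falls below the second or fourth threshold (the 90%/85% processor values are those given later for step 120 of FIG. 4). The network map, the task set and the per-task preconditions are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample network map (device -> OS and exposed services),
# standing in for network map 28 of the description.
NETWORK_MAP = {
    "web-server-50":  {"os": "solaris",    "services": {"http", "ftp"}},
    "file-server-54": {"os": "windows-nt", "services": {"smb"}},
    "workstation-52": {"os": "windows-nt", "services": {"smb", "netbios"}},
    "workstation-56": {"os": "windows-nt", "services": {"smb"}},
    "printer-64":     {"os": "embedded",   "services": {"lpd"}},
}


@dataclass
class AnalysisTask:
    """One analysis task: a protocol analysis or an attack signature."""
    name: str
    kind: str                              # "protocol" or "signature"
    # Constructed preconditions for the attack this task detects: a host must
    # run one of target_os and expose one of target_services to be affected.
    target_os: frozenset = frozenset()
    target_services: frozenset = frozenset()
    baseline: float = 0.0                  # priority used when no preconditions apply
    priority: float = 0.0
    enabled: bool = True


def likelihood_of_success(task, network_map):
    """Fraction of mapped devices against which the detected attack could succeed."""
    if not task.target_os and not task.target_services:
        return task.baseline
    hits = 0
    for dev in network_map.values():
        os_ok = not task.target_os or dev["os"] in task.target_os
        svc_ok = not task.target_services or bool(dev["services"] & task.target_services)
        if os_ok and svc_ok:
            hits += 1
    return hits / len(network_map)


def prioritize(tasks, network_map):
    """Build the prioritized task list (FIG. 5A): most important first."""
    for t in tasks:
        t.priority = likelihood_of_success(t, network_map)
    return sorted(tasks, key=lambda t: (-t.priority, t.name))


class PriorityEngine:
    """Sheds the least important tasks under load and restores them with hysteresis."""

    def __init__(self, tasks, network_map, cpu_high=0.90, cpu_low=0.85,
                 mem_high=0.90, mem_low=0.80):
        self.tasks = prioritize(tasks, network_map)
        self.cpu_high, self.cpu_low = cpu_high, cpu_low   # first and second thresholds
        self.mem_high, self.mem_low = mem_high, mem_low   # third and fourth thresholds

    def enabled(self):
        return [t.name for t in self.tasks if t.enabled]

    def on_sample(self, cpu, mem):
        """Apply one utilization sample; returns the task disabled or re-enabled, if any."""
        if cpu > self.cpu_high or mem > self.mem_high:
            # Over a high threshold: shed the lowest-priority task still running.
            for t in reversed(self.tasks):
                if t.enabled:
                    t.enabled = False
                    return ("disabled", t.name)
        elif cpu < self.cpu_low and mem < self.mem_low:
            # Under both low thresholds: restore the most important disabled task.
            for t in self.tasks:
                if not t.enabled:
                    t.enabled = True
                    return ("reenabled", t.name)
        return None  # inside the hysteresis band, or nothing left to change


def sample_tasks():
    """Constructed task set; the protocol-analysis baselines are illustrative."""
    return [
        AnalysisTask("tcp-checksum", "protocol", baseline=0.05),
        AnalysisTask("ip-fragment-reassembly", "protocol", baseline=0.30),
        AnalysisTask("tcp-stream-reassembly", "protocol", baseline=0.35),
        AnalysisTask("smb-signature", "signature",
                     frozenset({"windows-nt"}), frozenset({"smb"})),
        AnalysisTask("ftp-signature", "signature", frozenset(), frozenset({"ftp"})),
        AnalysisTask("lpd-signature", "signature", frozenset(), frozenset({"lpd"})),
        # Needs an OS absent from the map: this attack cannot succeed here.
        AnalysisTask("linux-ftp-signature", "signature",
                     frozenset({"linux"}), frozenset({"ftp"})),
    ]


def build_engine():
    """Engine over the constructed map, with the 90%/85% processor thresholds."""
    return PriorityEngine(sample_tasks(), NETWORK_MAP)


if __name__ == "__main__":
    engine = build_engine()
    for t in engine.tasks:
        print(f"{t.priority:.2f}  {t.kind:9s} {t.name}")
    for cpu, mem in [(0.95, 0.50), (0.95, 0.50), (0.87, 0.50), (0.80, 0.50)]:
        print(f"cpu={cpu:.2f} mem={mem:.2f} -> {engine.on_sample(cpu, mem)}")
```

Between the high and low thresholds nothing changes, which is what keeps a task from flapping on and off while utilization hovers near the limit.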

FIG. 3 is a block diagram showing network information of one embodiment of a network that includes a system for adaptive network security using network vulnerability assessment. This diagram also shows the dimensionality of a network and its devices in terms of device types 70, operating systems 74, services 78 and potential vulnerabilities 80. Such dimensionality, for example, could comprise the network information discovered by network security system 20 and stored in an associated network map. Internal network 10 of FIG. 2 comprises numerous devices, including router 18, firewall 16, web server 50, workstations 52, 56, 60 and 62, file server 54, printer 64, and terminal server 58. Each of these devices is coupled to network backbone 14. Similar to FIG. 1, network security system 20 is coupled to network backbone 14.

In operation, as discussed with respect to FIG. 2, network security system 20 through scan engine 22 sends requests upon network backbone 14 and analyzes responses to such requests to discover network information of internal network 10. Scan engine 22 can ping devices, use port scans, and other methods, and/or a rules-driven, multi-phase network vulnerability assessment process to discover network information such as devices, operating systems, and services on internal network 10. By executing such processes, network security system 20 can identify the network information of internal network 10 and uncover the various dimensions within internal network 10. For example, in the embodiment of FIG. 3, network security system 20 can identify the device type 70 of each device or system coupled to internal network 10. Network security system 20 can further identify the operating system 74 of each device and the services 78 available on each device. Additionally, the network security system 20 of FIG. 2 can make an assessment of potential vulnerabilities 80 associated with each device on internal network 10.

All such data can be incorporated into network map 28. Priority engine 32, further as discussed with respect to FIG. 2, can use the information in network map 28 to prioritize the analysis tasks to be performed on monitored traffic by protocol engine 24 and signature engine 26.

FIG. 4 is a flow diagram of one embodiment of a method 
for adaptive network security using network vulnerability 
assessment according to the present invention. At step 100, 
devices coupled to a network are determined. Such a step 
could be accomplished, for example, by pinging devices 
coupled to a network. At step 102, operating systems asso- 
ciated with the devices discovered at step 100 are 
determined, and at step 104, the services associated with 
devices coupled to the network are determined. Such steps 
could be executed, for example, by executing port scans on 
the discovered devices, and collecting and analyzing the 
banners sent in response to the port scans. At step 106, 
potential vulnerabilities associated with devices coupled to 
the network are determined. For example, this step could 
comprise a rules-based comparison between the discovered 
configuration data, and known problems associated with 
such configurations. In step 108, the potential vulnerabilities 
discovered in step 106 are confirmed, for example by 
executing active exploits on the network against the poten- 
tial vulnerabilities. Steps 100, 102, 104, 106, and 108 can 
comprise, as discussed above, a rules-driven multi-phase 
network vulnerability assessment as described in U.S. patent 
application Ser. No. 09/107,964. At step 110, the discovered 
network information is used to create and maintain a net- 
work map. 

In an alternate embodiment, some or all of steps 100, 102, 
104, 106, 108, and 110 can be replaced by querying a 
domain mapping service, as described with respect to FIG. 
2, and receiving the required network information. 

At step 112, a probable success of a particular attack upon 
the network is determined. In order to make such a 
determination, the network information stored in the net- 
work map can be applied to both protocol analysis 111 and 
attack signatures 113. For example, protocol analysis can 
comprise checksum verification, protocol verification, IP 
fragment reassembly, and TCP stream reassembly, as dis- 
cussed above. Each of the above protocol analyses can be 
intended to discover a particular type of attack. Depending 
upon the network information stored in the network map, it 
can be determined whether or not an attack that is discovered 
by such a protocol analysis has a certain probability of 
success. Likewise, each of the attack signatures at 113 are 
designed to detect a particular type of attack upon the 
network. The network information contained in network 
map can assist in determining the probability of success of 
each potential attack as defined by its associated attack 
signature. 

At step 114, the analysis tasks and system services are prioritized. The protocol analyses 111 and attack signatures 113 are assigned a priority based upon the probability of success determined at step 112. System services 115 are prioritized based upon a level of criticality of each service as can be determined from the network information. At step 116, monitoring is performed. The monitoring is performed to discover a memory utilization of memory resources at step 117, a processor utilization of processor resources at step 119, and an overall system bandwidth 121. System bandwidth 121 might be particularly affected under a denial of service attack, for example.

At step 120, an enable/disable function is performed. For 
example, if the processor utilization has exceeded a particu- 
lar threshold, for example 90%, a particular analysis task 
(either a protocol analysis 111 or a particular attack signature 
113) can be disabled. Alternatively or additionally, a par- 
ticular system service 115 may be disabled. This particular 
analysis task can be reenabled if the processor utilization 
drops below a second defined threshold, for example 85%. 
Similarly, if the memory utilization exceeds a third defined 
threshold, a particular analysis task can be disabled. If the 
memory utilization subsequently drops below a fourth defined threshold, the particular analysis task can be reenabled.

By enabling or disabling system services 115 at step 120, the security system implementing such functionality can adapt to a changing network environment. The system services that a security system performs can be referred to as a configuration of the security system. As the network information drives the services performed by the security system, the security system is able to configure and reconfigure itself as the network dynamics dictate.

At step 124 it is determined if the scanning steps should be repeated. If so, the method returns to step 100 to obtain updated network information, and the method is repeated. By obtaining updated network information, and then repeating the prioritizing steps using the updated network information, the method can adapt to a changing network environment.

FIGS. 5A, 5B, and 5C are block diagrams of embodiments of a prioritized task list, a prioritized attack signature list, and a prioritized system services list, respectively. In FIG. 5A, a prioritized task list, indicated at 144, comprises a plurality of analysis tasks 148. Prioritized task list 144 includes both types of analysis tasks: protocol analyses and signature analysis 150. The analysis tasks, as discussed above, are intended to identify particular attacks upon the network and can include both protocol analysis and comparisons between network traffic and known attack signatures. In the embodiment of FIG. 5A, the analysis tasks have been prioritized from the least important (TCP checksum) to the most important (signature analysis 150), according to the network information of a particular network.

FIG. 5B is a prioritized attack signature list 150, and FIG. 5C is a prioritized system services list 152. Similar to prioritized task list 144, prioritized attack signature list 150 and prioritized system services list 152 are created based upon network information gathered from a network that the security system is coupled to.

For example, the priority engine 32 (FIG. 2) may construct prioritized task list 144. Then, if memory or processor resources are depleted, the priority engine can disable certain analysis tasks 148, beginning with the least important, until the memory or processor utilization is at a safe oper-

tutions and alterations can be made thereto without departing from the spirit and scope of the invention as defined by the appended claims.

What is claimed is:

1. A method for adaptive network security comprising:
directing, by a device coupled to a network, a request onto the network;
assessing a response to the request to discover network information associated with determining at least one potential network vulnerability; and
prioritizing a plurality of analysis tasks based upon the network information, the plurality of analysis tasks to be performed on network data traffic which is monitored in order to identify attacks upon the network.

2. The method of claim 1, wherein the directing step comprises scanning a plurality of devices on the network.

3. The method of claim 1, further comprising disabling a particular analysis task based upon an assigned priority of the particular analysis task.

4. The method of claim 3, further comprising:
monitoring a processor utilization; and
performing the disabling step if the processor utilization exceeds a first defined threshold.

5. The method of claim 4, further comprising re-enabling the particular analysis task if the processor utilization drops below a second defined threshold.

6. The method of claim 3, further comprising:
monitoring memory utilization; and
performing the disabling step if the memory utilization exceeds a third defined threshold.

7. The method of claim 6, further comprising re-enabling the particular analysis task if the memory utilization drops below a fourth defined threshold.

8. The method of claim 1, wherein the prioritizing step comprises:
determining a probable success of a particular attack upon the network based upon the network information; and
assigning a priority to the particular analysis task intended to detect the particular attack.

9. The method of claim 1, wherein network information comprises:
devices coupled to the network;

ating threshold. It should be understood, however, that the operating systems running on the devices; and 

present invention contemplates that in some circumstances, 45 services available on the devices. 

analysis tasks could be disabled or re-enabled "out of order", 10 ^ metno d of claim 9, further comprising identifying 

that is, not according to an assigned priority. Such could potential vulnerabilities of a device coupled to the network 

occur, for example, upon a user intervention or upon the based upon the networ k information. 

presentation of a particular attack. For example, if an 11. The method of claim 10, further comprising confirm- 

attacker launches an IP fragment DOS attack against the 50 ing an identified potential vulnerability through an active 

network security system, the system should detect the attack exploit of the potent i a i vulnerability. 

through the IP fragment reassembly analysis task. The 12. The method of claim 1, further comprising maintain- 

system then may disable IP fragment reassembly for some or ing the network information in a network map. 

all other fragments and issue an alarm about the attack. 13 The me thod of claim 1, wherein the plurality of 

Further in operation, once it is determined that an attack 55 analysis tasks includes checksum verification, 

signature must be disabled, as shown in FIG. 5B, low 14, The method of claim 1, wherein the plurality of 

priority attack signatures can bc disabled before higher analysis tasks includes IP fragment reassembly, 

priority attack signatures. Additionally, as shown in FIG. 5C, 15, ^e method of claim 1, wherein the plurality of 

system services prioritized and disabled accordingly. analysis tasks include TCP stream reassembly. 

The present invention further contemplates that in some 60 16. The method of claim 1, wherein the plurality of 

instances it may be desirous to disable certain tasks regard- analysis tasks includes timeout calculations, 

less of memory or processor utilization. Such an instance 17. The method of claim 1, wherein the plurality of 

could occur, for example, if a user wished to disable all analysis tasks includes a plurality of comparisons between 

attack signatures made irrelevant by the network informa- the monitored network data traffic and a plurality of attack 

tion discovered on the network. 65 signatures. 

Although the present invention has been described in 18. The method of claim 17, further comprising disabling 

detail, it should be understood that various changes, substi- a particular attack signature. 
19. The method of claim 1, further comprising:
repeating the directing step to obtain updated network information; and
repeating the prioritizing step using the updated network information.

20. The method of claim 1, wherein the directing step comprises sending a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.

21. The method of claim 1, further comprising:
prioritizing a plurality of system services based upon the network information; and
disabling a particular system service based upon an assigned priority of the particular system service.

22. The method of claim 1, wherein the device comprises a scan engine.

23. The method of claim 1, wherein the device comprises a network security device.

24. A method for adaptive network security comprising:
directing, by a device coupled to a network, a request onto the network;
assessing a response to the request to discover network information associated with determining at least one potential network vulnerability;
prioritizing a plurality of protocol analyses to be performed on network data traffic which is monitored, the protocol analyses for identifying attacks upon the network;
monitoring a processor utilization of processor resources;
monitoring memory utilization of memory resources;
disabling a particular protocol analysis based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
disabling a particular protocol analysis based upon an assigned priority if the memory utilization exceeds a third defined threshold.

25. The method of claim 24, wherein the network information comprises:
devices coupled to the network;
operating systems running on the devices; and
services available on the devices.

26. The method of claim 25, further comprising confirming each identified potential vulnerability.

27. The method of claim 24, wherein the directing step comprises scanning a plurality of devices on the network.

28. The method of claim 24, further comprising identifying potential vulnerabilities of devices coupled to the network.

29. The method of claim 24, further comprising re-enabling the particular analysis task if the processor utilization drops below a second defined threshold.

30. The method of claim 24, further comprising re-enabling the particular analysis task if the memory utilization drops below a fourth defined threshold.

31. The method of claim 24, wherein the plurality of protocol analyses includes checksum verification.

32. The method of claim 24, wherein the plurality of protocol analyses includes IP fragment reassembly.

33. The method of claim 24, wherein the plurality of protocol analyses includes TCP stream reassembly.

34. The method of claim 24, wherein the plurality of protocol analyses includes timeout calculations.

35. The method of claim 24, further comprising:
repeating the directing step to obtain updated network information; and
repeating the prioritizing step using the updated network information.

36. The method of claim 24, wherein the directing step comprises sending a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.

37. The method of claim 24, further comprising:
prioritizing a plurality of system services based upon the network information; and
disabling a particular system service based upon an assigned priority of the particular system service.

38. The method of claim 24, wherein the device comprises a scan engine.

39. A method for adaptive network security comprising:
directing, by a device coupled to a network, a request onto the network;
assessing a response to the request to discover network information associated with determining at least one potential network vulnerability;
prioritizing a plurality of comparisons between network data traffic which is monitored and a plurality of attack signatures, the attack signatures for identifying attacks upon the network;
monitoring a processor utilization of processor resources;
monitoring memory utilization of memory resources;
disabling a particular attack signature based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
disabling a particular attack signature based upon an assigned priority if the memory utilization exceeds a third defined threshold.

40. The method of claim 39, further comprising identifying potential vulnerabilities of devices coupled to the network.

41. The method of claim 39, further comprising confirming an identified potential vulnerability.

42. The method of claim 39, further comprising re-enabling the particular attack signature if the processor utilization drops below a second defined threshold.

43. The method of claim 39, further comprising re-enabling the particular attack signature if the memory utilization drops below a fourth defined threshold.

44. The method of claim 39, further comprising maintaining the network information in a network map.

45. The method of claim 39, further comprising:
repeating the directing step to obtain updated network information; and
repeating the prioritizing step using the updated network information.

46. The method of claim 39, wherein the directing step comprises sending a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.

47. The method of claim 39, further comprising:
prioritizing a plurality of system services based upon the network information; and
disabling a particular system service based upon an assigned priority of the particular system service.
48. The method of claim 39, wherein the directing step comprises scanning a plurality of devices on the network.

49. The method of claim 39, wherein the prioritizing step comprises:
determining a likelihood of success of a potential attack based upon the network information; and
prioritizing an attack signature of the potential attack according to the determined likelihood of success.

50. The method of claim 39, wherein network information comprises:
devices coupled to the network;
operating systems running on the devices; and
services available on the devices.

51. The method of claim 39, wherein the device comprises a scan engine.

52. A system for adaptive network security comprising:
a scan engine coupled to a network, the scan engine for directing a request onto a network and assessing a response to the request to discover network information associated with determining at least one potential network vulnerability; and
a protocol engine coupled to the network, the protocol engine for performing a plurality of protocol analyses on network data traffic to identify attacks upon the network;
a signature engine coupled to the network, the signature engine for comparing the network data traffic to a plurality of attack signatures to identify attacks upon the network; and
a priority engine coupled to the analysis engine, the protocol engine, and the signature engine, the priority engine for prioritizing the plurality of protocol analyses and the plurality of attack signatures based upon the network information.

53. The system of claim 52, wherein the scan engine is operable to scan a plurality of devices on the network.

54. The system of claim 52, wherein the priority engine is operable to disable a particular analysis task based upon an assigned priority of the particular analysis task.

55. The system of claim 54, wherein the priority engine is further operable to re-enable the particular analysis task if the memory utilization drops below a fourth defined threshold.

56. The system of claim 52, wherein the priority module is further operable to:
determine a probable success of a particular attack upon the network based upon the network information; and
assign a priority to the particular analysis task intended to detect the particular attack.

57. The system of claim 52, wherein the network information comprises:
a device coupled to the network;
an operating system running on the device; and
a service available on the devices.

58. The system of claim 57 wherein the network information further comprises a potential vulnerability of the device.

59. The system of claim 58, wherein the scan engine is further operable to confirm an identified potential vulnerability through an active exploit of the potential vulnerability.

60. The system of claim 52, further comprising a network map coupled to the scan engine and the priority engine; wherein the scan engine is operable to maintain the network information in the network map.

61. The system of claim 52, further comprising:
a domain mapping service, coupled to the network, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to a request from the scan engine by sending the network information to a source of the request.

62. The system of claim 52, wherein the priority engine is further operable to:
monitor a processor utilization; and
disable the particular analysis task if the processor utilization exceeds a first defined threshold.

63. The system of claim 52, wherein the priority engine is further operable to:
monitor a processor utilization; and
disable the particular analysis task if the processor utilization exceeds a first defined threshold.

64. The system of claim 62, wherein the priority engine is further operable to re-enable the particular analysis task if the processor utilization drops below a second defined threshold.

65. The system of claim 52, wherein the priority engine is further operable to:
monitor memory utilization; and
disable the particular analysis task if the memory utilization exceeds a third defined threshold.

66. A system for adaptive network security comprising:
software embodied in system-readable storage and operable to:
direct, by a device coupled to a network, a request onto the network;
assess a response to the request to discover network information associated with determining at least one potential network vulnerability; and
prioritize a plurality of analysis tasks based upon the network information, the plurality of analysis tasks to be performed on network data traffic which is monitored in order to identify attacks upon the network.

67. The system of claim 66, wherein the software is further operable to scan a plurality of devices on the network.

68. The system of claim 66, wherein the software is further operable to disable a particular analysis task based upon an assigned priority of the particular analysis task.

69. The system of claim 68, wherein the software is further operable to:
monitor a processor utilization; and
perform the disabling step if the processor utilization exceeds a first defined threshold.

70. The system of claim 69, wherein the software is further operable to re-enable the particular analysis task if the processor utilization drops below a second defined threshold.

71. The system of claim 68, wherein the software is further operable to:
monitor memory utilization; and
perform the disabling step if the memory utilization exceeds a third defined threshold.

72. The system of claim 71, wherein the software is further operable to re-enable the particular analysis task if the memory utilization drops below a fourth defined threshold.

73. The system of claim 66, wherein the software is further operable to:
determine a probable success of a particular attack upon the network based upon the network information; and
assign a priority to the particular analysis task intended to detect the particular attack.

74. The system of claim 66, wherein network information comprises:
devices coupled to the network;
operating systems running on the devices; and
services available on the devices.

75. The system of claim 74, wherein the software is further operable to identify potential vulnerabilities of a device coupled to the network based upon the network information.

76. The system of claim 75, wherein the software is further operable to confirm an identified potential vulnerability through an active exploit of the potential vulnerability.

77. The system of claim 66, wherein the software is further operable to maintain the network information in a network map.

78. The system of claim 66, wherein the plurality of analysis tasks includes checksum verification.

79. The system of claim 66, wherein the plurality of analysis tasks includes IP fragment reassembly.

80. The system of claim 66, wherein the plurality of analysis tasks includes TCP stream reassembly.

81. The system of claim 66, wherein the plurality of analysis tasks includes timeout calculations.

82. The system of claim 66, wherein the plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures.

83. The system of claim 82, wherein the software is further operable to disable a particular attack signature.

84. The system of claim 66, wherein the software is further operable to:
repeat the directing step to obtain updated network information; and
repeat the prioritizing step using the updated network information.

85. The system of claim 66, wherein the software is further operable to send a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.

86. The system of claim 66, wherein the software is further operable to:
prioritize a plurality of system services based upon the network information; and
disable a particular system service based upon an assigned priority of the particular system service.

87. The system of claim 66, wherein the device comprises a scan engine.

88. A system for adaptive network security comprising:
software embodied in system-readable storage and operable to:
direct, by a device coupled to a network, a request onto the network;
assess a response to the request to discover network information associated with determining at least one potential network vulnerability;
prioritize a plurality of protocol analyses to be performed on network data traffic which is monitored, the protocol analyses for identifying attacks upon the network;
monitor a processor utilization of processor resources;
monitor memory utilization of memory resources;
disable a particular protocol analysis based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
disable a particular protocol analysis based upon an assigned priority if the memory utilization exceeds a third defined threshold.

89. The system of claim 88, wherein the software is further operable to scan a plurality of devices on the network.

90. The system of claim 88, wherein the network information comprises:
devices coupled to the network;
operating systems running on the devices; and
services available on the devices.

91. The system of claim 90, wherein the software is further operable to confirm each identified potential vulnerability.

92. The system of claim 88, wherein the software is further operable to identify potential vulnerabilities of devices coupled to the network.

93. The system of claim 88, wherein the software is further operable to re-enable the particular analysis task if the processor utilization drops below a second defined threshold.

94. The system of claim 88, wherein the software is further operable to re-enable the particular analysis task if the memory utilization drops below a fourth defined threshold.

95. The system of claim 88, wherein the plurality of protocol analyses includes checksum verification.

96. The system of claim 88, wherein the plurality of protocol analyses includes IP fragment reassembly.

97. The system of claim 88, wherein the plurality of protocol analyses includes TCP stream reassembly.

98. The system of claim 88, wherein the plurality of protocol analyses includes timeout calculations.

99. The system of claim 88, wherein the software is further operable to:
repeat the directing step to obtain updated network information; and
repeat the prioritizing step using the updated network information.

100. The system of claim 88, wherein the software is further operable to send a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.

101. The system of claim 88, wherein the software is further operable to:
prioritize a plurality of system services based upon the network information; and
disable a particular system service based upon an assigned priority of the particular system service.

102. The system of claim 88, wherein the device comprises a scan engine.

103. A system for adaptive network security comprising:
software embodied in system-readable storage and operable to:
direct, by a device coupled to a network, a request onto the network;
assess a response to the request to discover network information associated with determining at least one potential network vulnerability;
prioritize a plurality of comparisons between network data traffic which is monitored and a plurality of attack signatures, the attack signatures for identifying attacks upon the network;
monitor a processor utilization of processor resources;
monitor memory utilization of memory resources;
disable a particular attack signature based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
disable a particular attack signature based upon an assigned priority if the memory utilization exceeds a third defined threshold.

104. The system of claim 103, wherein the software is further operable to scan a plurality of devices on the network.

105. The system of claim 103, wherein the software is further operable to:
determine a likelihood of success of a potential attack based upon the network information; and
prioritize an attack signature of the potential attack according to the determined likelihood of success.

106. The system of claim 103, wherein network information comprises:
devices coupled to the network;
operating systems running on the devices; and
services available on the devices.

107. The system of claim 103, wherein the software is further operable to identify potential vulnerabilities of devices coupled to the network.

108. The system of claim 103, wherein the software is further operable to confirm an identified potential vulnerability.

109. The system of claim 103, wherein the software is further operable to re-enable the particular attack signature if the processor utilization drops below a second defined threshold.

110. The system of claim 103, wherein the software is further operable to re-enable the particular attack signature if the memory utilization drops below a fourth defined threshold.

111. The system of claim 103, wherein the software is further operable to maintain the network information in a network map.

112. The system of claim 103, wherein the software is further operable to:
repeat the directing step to obtain updated network information; and
repeat the prioritizing step using the updated network information.

113. The system of claim 103, wherein the software is further operable to send a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.

114. The system of claim 103, wherein the software is further operable to:
prioritize a plurality of system services based upon the network information; and
disable a particular system service based upon an assigned priority of the particular system service.

115. The system of claim 103, wherein the device comprises a scan engine.

116. A system for adaptive network security comprising:
means for directing, by a device coupled to a network, a request onto the network;
means for assessing a response to the request to discover network information associated with determining at least one potential network vulnerability; and
means for prioritizing a plurality of analysis tasks based upon the network information, the plurality of analysis tasks to be performed on network data traffic which is monitored in order to identify attacks upon the network.
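The priority engine of FIG. 5A and claims 1 and 4-8, as an added example that is not the patent's own code: it ranks analysis tasks from the discovered network information, disables the least important tasks first when processor or memory utilization crosses a threshold, re-enables them below a lower threshold, and disables IP fragment reassembly out of order when that task detects a fragment flood. The task names, priority values, thresholds and the network map are constructed assumptions.

```python
"""Priority engine: added example, not code from the patent. Task names,
priorities, thresholds and the network map are constructed assumptions
illustrating claims 1 and 4-8 and the FIG. 5A/5B discussion."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed network map (claim 9): device -> operating system and services.
NETWORK_MAP = {
    "10.0.0.5": {"os": "linux", "services": {"http", "ssh"}},
    "10.0.0.9": {"os": "windows", "services": {"smb"}},
}


@dataclass
class AnalysisTask:
    name: str
    base_priority: int              # FIG. 5A ordering: higher is more important
    needs_os: Optional[str] = None  # signature tasks: what the attack needs
    needs_service: Optional[str] = None
    priority: int = 0
    enabled: bool = True

    def probable_success(self, network_map) -> int:
        """Claim 8: count discovered devices the attack could succeed against."""
        if self.needs_os is None and self.needs_service is None:
            return 1  # protocol analyses apply to any traffic
        return sum(
            1 for dev in network_map.values()
            if (self.needs_os is None or dev["os"] == self.needs_os)
            and (self.needs_service is None or self.needs_service in dev["services"])
        )


@dataclass
class PriorityEngine:
    tasks: List[AnalysisTask]
    cpu_high: float = 0.90  # first defined threshold (claim 4)
    cpu_low: float = 0.70   # second defined threshold (claim 5)
    mem_high: float = 0.85  # third defined threshold (claim 6)
    mem_low: float = 0.60   # fourth defined threshold (claim 7)
    alarms: List[str] = field(default_factory=list)

    def prioritize(self, network_map) -> List[str]:
        """Build the prioritized task list, least important first; a signature
        whose attack cannot succeed on any discovered device gets priority 0
        and is disabled regardless of utilization."""
        for t in self.tasks:
            hits = t.probable_success(network_map)
            t.priority = t.base_priority * hits
            if hits == 0:
                t.enabled = False
        self.tasks.sort(key=lambda t: t.priority)  # stable sort: ties keep order
        return [t.name for t in self.tasks]

    def on_utilization(self, cpu: float, mem: float) -> Optional[str]:
        """One disable/re-enable step with hysteresis; returns the task toggled."""
        if cpu > self.cpu_high or mem > self.mem_high:
            for t in self.tasks:  # least important first
                if t.enabled and t.priority > 0:
                    t.enabled = False
                    return t.name
        elif cpu < self.cpu_low and mem < self.mem_low:
            for t in reversed(self.tasks):  # most important re-enabled first
                if not t.enabled and t.priority > 0:
                    t.enabled = True
                    return t.name
        return None

    def on_fragment_flood(self) -> None:
        """Out-of-order disable: reassembly itself detected an IP fragment DoS."""
        for t in self.tasks:
            if t.name == "ip_fragment_reassembly":
                t.enabled = False
        self.alarms.append("IP fragment DoS detected; reassembly disabled")

    def enabled_tasks(self) -> List[str]:
        return [t.name for t in self.tasks if t.enabled]


def build_engine() -> PriorityEngine:
    """Constructed task set mirroring FIG. 5A (TCP checksum least important)."""
    return PriorityEngine([
        AnalysisTask("tcp_checksum", 1),
        AnalysisTask("timeout_calculation", 2),
        AnalysisTask("ip_fragment_reassembly", 3),
        AnalysisTask("tcp_stream_reassembly", 4),
        AnalysisTask("sig_irix_telnet", 10, needs_os="irix", needs_service="telnet"),
        AnalysisTask("sig_linux_http_cgi", 10, needs_os="linux", needs_service="http"),
        AnalysisTask("sig_windows_smb", 10, needs_os="windows", needs_service="smb"),
    ])
```

Calling `prioritize` again with a refreshed map re-ranks the tasks, which is the repeat loop of step 124 and claim 19.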